Digital trade flows—which were practically nonexistent just 15 years ago—now play a central role in global trade and commerce.[1] Yet efforts to better assess the extent and value of data flows, and the impact of government restrictions on them, are frustratingly few and far between. A survey from Japan on the impact of China’s cybersecurity law (CSL) and the European Union’s General Data Protection Regulation (GDPR) is a notable and welcome exception. Surveys from the Organization for Economic Cooperation and Development (OECD) and the Inter-American Development Bank (IDB) provide similarly valuable insights into the impact of barriers to cross-border data flows and digital trade.

This briefing analyzes these surveys in order to make the case for policymakers in key countries and international organizations to expand their use of surveys to better identity, measure, and analyze cross-border data flows and digital trade—and barriers to them. This is particularly important, as what gets measured and surveyed is more likely to get managed and addressed. Countries that value an open, competitive global digital economy need to do more both at home and with like-minded regional and global partners, such as at IDB and OECD, to fill this information gap to better inform domestic policy debates and trade negotiations at the World Trade Organization (WTO) and elsewhere.

Data will naturally flow across borders unless governments enact barriers. Flows of data are important, as they stimulate growth and productivity.[2] They are also critical to trade in all sectors—not just tech—as the Swedish Board of Trade makes clear in its report No Transfer, No Production: a Report on Cross-border Data Transfers, Global Value Chains, and the Production of Goods.[3] Despite the large and growing role of data flows, a growing number of countries are making it harder and costlier—or even illegal—to transfer data.[4]

However, there remains a large gap in the understanding of the extent and impact of these restrictions. Econometric modeling is the most common tool, providing macro-level estimates of the economic impact of restrictions.[5] Firm-level interviews and surveys are a micro-level tool policymakers and other stakeholders should use more extensively to complement formal modeling and fill the knowledge gap regarding the specific impacts.

Surveys are useful, because they allow firms to quantify the levels and values of data flows without disclosing commercially sensitive information. Survey responses provide details about how different firms use and move data to create value, and they provide subjective assessments that help policymakers understand the harms that transfer restrictions create. They also help calibrate the underlying estimates econometric modeling is based on, such as firm data intensity and ad valorem equivalents (i.e. the tariff or tax rate equivalent) of data-flow restrictions.

These surveys come at an important time for the global digital economy. Over 70 countries are negotiating potential new rules on e-commerce and digital trade at the WTO (as well as in other bilateral and regional trade negotiations). The initial insights from these surveys show why there needs to be rules to protect the flow of data, given its critical role in digital trade. If countries are truly committed to updating the global trading system, and making it relevant for modern business, it needs to include strong rules around data flows. In addition, given the growing digitalization of the global economy, policymakers and other stakeholders should build on these surveys to better capture, measure, and analyze the growing role and value of cross-border data flows, digital trade, and e-commerce, and the impact of barriers to them.

Japan: Survey of Firms on the Impact of the European Union’s General Data Protection Regulation and China’s Cybersecurity Law

In the report Effects of Regulations on Cross-border Data Flows: Evidence from a Survey of Japanese Firms, Eiichi Tomiura (Research Institute of Economy, Trade and Industry, (RIETI)), Banri Ito (RIETI), and Byeongwoo Kang (Hitotsubashi University) provided new and valuable insights into the impact of two new, major data governance laws—the European Union’s GDPR, enacted in 2016, and China’s 2018 CSL—on a large set of Japanese firms.[6] Regarding CSL, it also covers firms affected by similar restrictions in other countries, such as Vietnam, India, and Russia. The report also demonstrates what the Information Technology and Innovation Foundation (ITIF) has long argued: These restrictive data regulations negatively affect firms by limiting their ability to use and transfer data.

The survey (conducted from April to August 2019) covers 4,000 medium- and large-sized firms, which is far larger than other surveys. The questionnaire was sent to nearly 20,000 firms Japan’s Ministry of Economy, Trade and Industry regularly surveys as part of annual statistical processes. It did not target small firms on the basis that they mainly target domestic customers. While the main focus was on manufacturers, the firms represent a broad range of sectors, including wholesale and information-related service industries—which reflects the reality that data and data flows are important for all sectors, not just tech.[7] This is especially true for modern manufacturing’s use of cloud computing and artificial intelligence.[8] Of the information-related service sectors, it includes firms in the software (391); information processing service (392); Internet service providers (401); academic, research, and development institutions (710); and engineering (728) subsectors. The report is also interesting in that it tries to indirectly gauge the extent of a firm’s data intensity and reliance on cross-border data flows by asking them about their use of data-intensive technologies, such as the Internet of Things. In relation to barriers, the survey asked simply whether the regulations had some impact on the ability to move data internationally, had no impact, or the firms simply didn’t know. It then asked follow-up questions based on these responses. While it recognized the importance of specific questions regarding the cost of restrictions, it did not ask this type of question, as information-demanding quantitative questions tend to result in many response rejections or no-response cases.

GDPR is a central focus of the survey because at its heart are territorial restrictions on where European Union citizens’ personal data may be transferred. The European Commission relies on country-by-country adequacy determinations, whereby it certifies that countries provide an adequate level of protection equivalent to what Europe provides at home. For example, data flows between the United States and EU are covered by the EU-U.S. Privacy Shield Framework. Outside of adequacy determinations, firms rely on certain legal tools to manage the transfer of EU personal data, such as binding corporate rules and standard contractual clauses. The EU’s process for assessing adequacy is unclear. So far, it includes a disparate collection of 12 countries that are mainly former British colonies, such as the Faroe Islands, Guernsey, and the Isle of Man.[9] Nor is the time frame clear. Morocco is still waiting, having requested an adequacy decision over a decade ago in 2009.[10]

All this points toward the conclusion that the EU’s case-by-case, top-down approach to pushing other countries to harmonize their approach to privacy—instead of focusing on holding firms doing business in the EU accountable for how they manage data, regardless of where they store it—is untenable in the long term. For example, it’s inconceivable China will ever be deemed adequate.[11] A glaring omission in the EU’s approach is that it has not applied the same scrutiny to EU-China data flows as it has to those between itself and the United States. That is surprising given the fact that there do not appear to be any legal restrictions governing Chinese government access to data.

Meanwhile, the CSL provides a broad and vague framework for China’s government to intervene and restrict the flow of data that underpins a broad range of trade and economic activity.[12]The Economist aptly described this overarching law as a “techno-nationalist Trojan horse.”[13] The full extent of the impact is unclear, as China is still enacting various implementing regulations, such as for the cross-border transfer of personal data, and ramping up enforcement.[14] The CSL and its related policies show China wants the local storage of data to become the default setting, and transfers the exception. It is doing this both explicitly (through legal requirements for data localization for certain types of data) and implicitly (by making the data-transfer process uncertain, difficult, and costly). The CSL requires a broad range of firms deemed “critical information infrastructure” and “network operators” (while not yet clearly defined, it’s likely these terms will cover a range of commercial sectors) to store personal information and “important data” (which has not yet been defined, but is also likely to cover a broad range of commercial sectors) only in China. This reflects China’s failure to accept the notion that responsibility for privacy, cybersecurity, or other issues should flow with data wherever it is stored. Rather, it believes data governance should be dependent on the location of data storage—and government access and control of it.[15]

The Japanese survey’s first major finding is that 5 percent of firms (around 200) reported their cross-border data transfers are impacted by GDPR, while 8 percent of firms (around 320) reported the same with CSL. The survey finds 11 percent of firms regularly transfer both personal and nonpersonal data to foreign countries. This is despite the fact that on January 23, 2019, Japan was declared “adequate” by the EU, so flows of EU personal data between the two should have ceased to be an issue.[16] This headline finding about the impact is relatively large given the firms affected are likely to be the most global, innovative, and digital-intensive (which is what the authors think as well). If the impact of these data governance laws affects the largest and most globally competitive firms in an economy, then the broader impact on economic productivity and innovation could still be considerable. Additionally, the authors argue that, because approximately 20 percent of respondents said they were uninformed about the regulations, the impact may be even greater as these firms may be unaware of the relevant laws and the adverse effects these regulations will have on their business (for example, China’s CSL is still relatively new in that implementing regulations continue to be drafted, enacted, and enforced). Furthermore, if the survey includes responses from Japanese subsidiaries in the EU or China, and not just headquarters in Japan, the actual figure and impact may well be even larger still.

However, the overall number hides the considerable variance in impact by sector. For GDPR, 22 percent of information and communications technology (ICT) manufacturers, 20 percent of Internet service firms, 12.8 percent of business-machinery manufacturers, and 10 percent of chemical manufacturers reported at least “some impact.”[17] The number of sectors adversely affected by CSL was much broader and higher than GDPR—26.7 percent of Internet service firms; 21 percent of scientific research, professional, and technical service firms; 20.5 percent of business-machinery manufacturers; 17 percent of ICT manufacturers; 15 percent of chemical, textile, and apparel manufacturers; and 12 percent of professional service firms reported at least some impact.

The study also provides some insights into the nature of these flows. Among firms transferring data regularly, more than half are involved in intra-firm transfers, which highlights the critical role of data flows between subsidiaries and affiliates of multinational firms.[18] The survey’s focus on manufacturers and business-to-business operations is reflected in the fact that less than 1 percent of firms’ regular data transfers were directly with consumers.

To gauge the level of active raw-data collection and analysis, the survey asked about respondents’ adoption of Internet of Things technology at home (8 percent) and overseas (2 percent). Similarly, to understand how active firms had been adopting new technologies, the survey asked about adoptions of specific technologies. Over 80 percent of firms had websites, 68 percent had broadband Internet, 69 percent had a corporate intranet, 73 percent had enterprise resource planning software, 40 percent used cloud computing, 20 percent used social media and customer relations management software, only 7 percent had introduced 3D printing, and only 1 percent used blockchain.

The study used these responses to develop an indirect assessment (a cross-tabulation) impact of GDPR and CSL. It shows that despite the seemingly low overall number of firms impacted, the impact is much higher for firms actively engaged in data collection and analysis. For firms reporting “some impact,” the study asked about their reactions. More than 40 percent of these firms strengthened in-house data management in response to GDPR. Further, when asked about specific responses to China’s and other countries’ cybersecurity laws, 21 percent of firms had tightened security measures (such as via introducing firewalls, log recording, and encryption); 18 percent had introduced security policies, manuals, audits, and training; and 7 percent had increased spending for new staff and IT services.

In terms of assessing both the impact to and reaction from those firms affected, most interesting is how GDPR acts as a de facto data localization measure in that 30 percent of firms surveyed moved the location of their data storage to inside the EU. Again, this was despite EU-Japan adequacy.[19] However, this is not completely surprising, as the large financial penalties and considerable uncertainty about how GDPR will be enforced compels firms to be overly cautious in how they manage data. More broadly, it highlights uncertainty will likely lead to costs beyond the direct financial costs associated with compliance. Furthermore, a few firms (0.5 percent) shut down, converted, or curtailed their EU operations in response to GDPR. This is one of the many impacts that have been seen since GDPR came into force.[20]

For China’s CSL and other countries with similar restrictions (India, Indonesia, and Russia), the impact on affected firms is considerably different. The percentage of firms changing, shrinking, or even stopping their business in China is nearly 5 percent, which is far higher than what’s been observed so far in the case of GDPR. Meanwhile, around 28 percent of firms have shifted data storage and processes as a result of these regulations, while another 8.7 percent have outsourced such services to local providers—something the Chinese government presumably had in mind when drafting the CSL. Reflecting the uncertainty regarding the implementation of cybersecurity laws in China and other countries, 56 percent of firms stated that they have not yet considered specific reactions.

OECD is one of the few international institutions that has developed the expertise and a program of research and policy analysis to build detailed, useful research and analysis on cross-border data flows and digital trade. Key to this is two online surveys of firms on cross-border data issues.

In “Trade and Cross-Border Data Flows,” OECD conducted a first-of-its-kind (online) survey between August 2015 and March 2016.[21] It received 259 responses from firms headquartered in 48 countries (many from the EU, Japan, and the United States), representing 21 sectors. While the small sample size, the means of distribution, and geographic diversity (among other biases involved in this and other surveys) mean only limited statistical inferences can be made, the survey provides some additional useful insights for policymakers. It also provides a basis for future work.[22] Pointing toward the difficulty in doing this type of survey work, the qualitative part of the survey is not as comprehensive, as a number of firms either did not answer some of the questions or were unable to provide the requested information.

Nearly 100 percent of firms identified privacy protection as a key element in ensuring consumer trust, yet 78 percent of firms expressed concerns about emerging data regulations. This suggests that, despite there being a common interest in protecting the privacy of consumers, the way emerging measures are currently tackling the issue is being questioned. This is a major concern given half of the firms—be they in the ICT, financial, or manufacturing sector—responded that personal data represents a significant amount of the data they handle.

Among the most interesting insights from this survey was firms highlighting the cost and complexity in splitting personal from non-personal data. The majority of firms stated separating data was costly or very costly. Consistent across sectors, this finding has broad ramifications for the digital economy. It means that if firm is unable to separate personal and non-personal data, a restriction on cross-border transfers of personal or personally identifiable data might in effect become a measure affecting all types of data. This contrasts with the view shared by some advocates and policymakers that data privacy measures only affect a very small and specific category of data.

This is important given the growing restrictions around personal data and the fact that the European Union uses differentiated frameworks for the transfer of personal and nonpersonal data within the region and between the region and the rest of the world. In mid-2019, the EU enacted a framework to allow the free flow of nonpersonal data in the European Union.[23] In doing so, the European Union highlighted a Deloitte study that estimates removing internal barriers to data flows would generate additional economic growth of 4 percent of gross domestic product (GDP) by 2020.[24] Yet the European Union fails to fully apply the same valid justifications to remove barriers to data flows between itself and the rest of the world.

In “Digital Trade and Market Openness,” OECD followed up with another online questionnaire (made available in December 2017 and January 2018), which was distributed via personal contacts and the Business Industry Advisory Committee to OECD.[25] Again, while not large or representative, the survey has sufficient variance to provide some useful initial insights. The survey received responses from 77 firms operating in 18 countries, with 55 percent of firms considered micro enterprises (fewer than 10 employees), 24 percent small to medium-sized enterprises (between 10 and 250 employees), and 21 percent large firms (over 250 employees). The majority were based in the United States (43), followed by the European Union (6), and Russia (6), with the rest from Thailand, Turkey, Jordan, Singapore, and Saudi Arabia. The firms operated in the retail (34 firms) and services sectors (31 firms).

The survey covers the digitalization of firms as well as perceptions of barriers to digital trade. Barriers to information flows were the top issue, followed by trade facilitation, consumer protection, payment issues, and digital identity. As OECD has stated, although the small sample makes it hard to derive concrete observations regarding these rankings, the results nevertheless highlight the key issues that are of concern to firms engaged in digital trade. Furthermore, the fact that they range across all elements, from goods to services to digital connectivity, provides support to the notion that new approaches to market openness need to take into consideration these digital issues (which can otherwise restrict or close market access).

Inter-American Development Bank Survey on Barriers to E-commerce and Digital Trade

To its credit, the Inter-American Development Bank (IDB) has been expanding its research, analysis, and policy advocacy on digital economy issues, including through the use of surveys to assess issues that affect cross-border digital trade and e-commerce. A 2017 report by Kati Suominen (who does a lot of work on digital economy surveys) for the IDB, Accelerating Digital Trade in Latin America and the Caribbean, explores Latin American companies’ use of the Internet in their operations and trade.[26] The report surveyed almost 300 companies in Latin American from IDB’s ConnectAmericas database.[27] It also includes case studies of firms that rely on the Internet for selling and sourcing goods and services. While the dataset is somewhat limited, it does provide insights into a relatively unexplored area of study, and looks at cross-border flows in order to capture the market effects of regulation in a way traditional methods do not.

The survey covers companies with revenue under $500 million, and spans sectors including manufacturing, business, and ICT. Almost all of those firms surveyed (94 percent) use the Internet (which is not surprising given the survey was conducted through a digital platform); 84 percent use it for advertising purposes; 80 percent for their own market research; and 75 percent use the Internet for product delivery. Not surprisingly given the sampling, cross-border sales were found to be important to the majority of firms, with 60 percent making foreign purchases online and 50 percent making cross-border online sales.

The study asked about 11 distinct barriers to trade, including border-trade challenges and data localization policies. It found that 45 percent of firms highlighted data localization as a medium, important, or very high obstacle in their cross-border operations. However, data localization ranked behind other issues in terms of overall importance, including market access issues, poor logistics, customs issues, and uncertain liability and payment rules. Data localization was a very significant barrier to firms in the education (57 percent) and business services (37 percent) sectors. In conclusion, it advocates for policymakers to eschew data localization, as the free flow of data is critical to firm competitiveness and customer service.

This IDB data and policy research has been well received, as various countries in Latin America, especially Pacific Alliance countries (Colombia, Chile, Mexico, and Peru), are negotiating a digital agenda among themselves. ITIF addressed some of the policy issues highlighted in these surveys in its report Crafting an Open and Innovative Digital Trade Agenda for Latin America.[28]

Little empirical or internationally comparable statistical information exists regarding the size of and barriers to data flows and digital trade. The Bloomberg article “Fortnite Skins Are Key to the Future of Global Trade” is indicative of this in that it shows how in-game purchases are a growing example of digital trade, yet go largely unnoticed and measured.[29] OECD’s work is by far the most advanced effort to help fill this gap. While there are legitimate policy concerns associated with cross-border data flows (e.g., the inefficient legal processes involved in law enforcement requesting data stored in another jurisdiction), the majority of measures are based on a mistaken and misguided understanding of how data flows actually affect the protection, management and use of data—and lack a proper analysis of their trade-inhibiting effects.[30]

As OECD has pointed out, surveys are useful tools, but have their own caveats—such as biases arising from the channels of distribution and self-selection. OECD has highlighted the need for resources and cooperation when surveying a larger population of firms in order to get a more representative sample. But these are all issues that can be addressed with the right structure, support, and cooperation. In terms of resources, this should involve survey-design experts creating a survey that balances questions that reflect a detailed understanding of the digital economy, digital technology, and related policies; complexity (not asking too many questions about non-core issues); and simplicity (not making questions too complicated) in order to get as many insightful responses from firms as possible. This could involve cooperation between central institutions with digital policy expertise (such as OECD and the Asia-Pacific Economic Cooperation) to act as facilitators with respective global, regional, and national chambers of commerce, trade associations, tech incubators, and other services and manufacturing groups.

The potential value of such an approach is already evident, as the previously detailed surveys fulfill their role in providing initial information on both which policy prescriptions can emerge and which observations for deeper analysis can be made. These surveys complement future econometric modelling by helping to inform estimates as to the extent and types of impacts, and if you get a large enough survey, can be the data on which you do some parts of the modelling. More broadly, these surveys highlight that policy uncertainty will likely lead to costs far beyond direct financial costs as surveys capture sentiment.

For example, the Japanese survey identifies the goal to establish a direct link with official statistics in order to enable Japanese analysts to explore whether, and how, basic firm attributes relate to a firm’s response to regulation of cross-border data transfers. Without this additional work, policymakers and researchers cannot discuss how a firm’s characteristics, such as size, productivity, or research and development intensity, affect its use of data and data transfers. Nor can they understand how a measure on one type of data (such as personal data) can have a broader impact given the nature of how firms collect and use data. On top of this, the Japanese researchers are working on additional research linking the survey results to firm-level data from official statistics. Firm-level interviews are extremely valuable in building stories and details about how modern firms use and transfer data. ITIF’s firm-level interviews on the impact of barriers to data flows and digitalization and manufacturing, while extremely valuable, reveal how hard it can be to find firms that are willing to specify in detail the impact of such policies.[31] It’s particularly difficult to get firms to talk about the country with the worst digital restrictions (China)—never mind be willing to be named—for the very real fear of retaliation.

Policymakers interested in improving their measurement and understanding of data flows and digital economic activity would be taking a large step in the right direction by simply building on existing surveys. The OECD Digital “Trade and Market Openness” questionnaire is on page 52 in Annex 4.[32] Other examples come from the United States International Trade Commission(USITC), including their 2018 survey of U.S. firms as part of its Global Digital Trade investigation into business-to-business and business-to-consumers issues.[33] There’s also USITC’s 2014 survey of U.S. firms as part of its investigation of digital trade in the Unites States and global economies (pages 253 to 272).[34] The survey covers obstacles to doing international business over the Internet, and firms’ use of both that data and the Internet. One key difference for non-U.S. policymakers to note is USITC can, under U.S. law, force firms to respond to their surveys.[35]

Policymakers should pay close attention to the identification and measurement of barriers to data flows and digital trade. ITIF has long tracked and analyzed restrictions on data flows, most notably in Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?[36] Countries can do this themselves, as the U.S. Trade Representative has started doing in identifying key barriers to digital trade in its annual National Trade Estimates report.[37] OECD’s Digital Services Trade Restrictiveness Index (started in early 2019) provides a significant step in the right direction.[38] However, it is limited in that it covers only 44 countries and does not include a detailed list of offending policies. The index would benefit from detailed case studies into the differential impact of certain restrictions. OECD is well placed to build on this work given it fits within its expertise on a broader range of economic issues, such as services trade.[39] Any follow-up effort by OECD would likely need to be collaborative to ensure it covers a broader range of countries and achieves a representative sample size—and that any analysis is truly objective, both from the European Union’s political sensitivities around data governance, digital trade, and data flows, and the social and political interests that motivate data restrictions in China, Vietnam, and Russia.

Countries, trade associations, and regional and multilateral organizations need to start using surveys to fill the current gap in measurement and understanding, as that gap otherwise creates a vacuum that allows or inadvertently contributes to more barriers to data flows. One key step for the United States would be for Congress to significantly increase the budget of the U.S. Census Bureau in order to increase its relatively anemic and underpowered surveys of firms regarding their IT and digital activities and investments, including cross-border data flows. It’s likely other countries would also benefit from doing the same with their statistical agencies.

At the domestic level, it’s a critical issue, as many developing countries consider their own data governance frameworks, and countries work together at WTO to develop a framework for global data governance as part of e-commerce talks. For countries that are more advanced in their approach to digital trade and economic issues, efforts to improve how they capture and analyze digital economic and trade activity—and the key barriers to them—need to be part of their comprehensive digital trade and economic strategies. Whatever stage of development or digital policy a country is dealing with, they would benefit from having better data on the increasingly digital nature of trade and economic activity.

About the Author

Nigel Cory is associate director, trade policy, with the Information Technology and Innovation Foundation. He previously worked as a researcher at the Sumitro Chair for Southeast Asia Studies at the Center for Strategic and International Studies. Prior to that, he worked for eight years in Australia’s Department of Foreign Affairs and Trade, which included positions working on G20 global economic and trade issues and the Doha Development Round. Cory also had diplomatic postings to Malaysia, where he worked on bilateral and regional trade, economic, and security issues; and Afghanistan, where he was the deputy director of a joint U.S./Australia provincial reconstruction team. Cory holds a master’s in public policy from Georgetown University and a bachelor’s in international business and a bachelor’s in commerce from Griffith University in Brisbane, Australia.

About ITIF

The Information Technology and Innovation Foundation (ITIF) is a nonprofit, nonpartisan research and educational institute focusing on the intersection of technological innovation and public policy. Recognized as the world’s leading science and technology think tank, ITIF’s mission is to formulate and promote policy solutions that accelerate innovation and boost productivity to spur growth, opportunity, and progress.

[40] The World Bank—in collaboration with the United Nations Conference on Trade and Development (UNCTAD) and in consultation with organizations such as International Trade Center, United Nations Statistical Division (UNSD) and the World Trade Organization (WTO)—developed the World Integrated Trade Solution (WITS). See: https://wits.worldbank.org/about_wits.html.

[41] “A striking finding of the OECD’s STRI analysis is that countries with more restrictive service sectors import and export fewer services, with the effect on exports twice that on imports. In aggregate for the 12 sectors in the analysis, the result implied that an increase in the STRI of 1 basis point (a more restrictive regime) would reduce exports by 0.6 percent and imports by 0.3 percent.” Hildegunn Kyvik Nordåsi and Dorothée Rouzet, The Impact of Services Trade Restrictiveness on Trade Flows: First Estimates, (Paris: The Organization for Economic Cooperation and Development, OECD Trade Policy Papers, No.178,), http://dx.doi.org/10.1787/5js6ds9b6kjb-en; New research extends the OECD STRI to 23 other developing countries not covered by the OECD, showing that the ad valorem equivalent of services restrictions are high in these developing countries. Bernard Hoekman and Ben Shepherd, “Services trade policies and economic integration: New evidence for developing countries,” VOX EU, January 3, 2020, https://voxeu.org/article/services-trade-policies-and-economic-integration.

Related ITIF Content

KEY TAKEAWAYS

Surveys that accurately measure the extent and value of cross-border data flows—and the impact of government restrictions on them—are few and far between. This information gap hobbles policy debates and trade negotiations.

Most policy measures affecting data flows are based on mistaken notions of how transferring data from place to place affects its level of protection, or its management and use—and they underestimate the impact of restricting data flows.

Countries, trade associations, and regional and multilateral organizations should help fill the gap in measurement and understanding of cross-border data flows by conducting surveys that build on those of the OECD and others.

Surveys can reflect biases arising from self-selection and channels of distribution. But these issues can be addressed with the right structure, support, and cooperation.